From 0b3b8390f7731645c7afba1227f471aead21a9f2 Mon Sep 17 00:00:00 2001
From: Cheoleun Moon
Date: Mon, 29 Apr 2019 10:18:34 +0900
Subject: [PATCH] Fix heap-use-after-free issue
Change-Id: If84ff301e9dd0ec05150210986e38e02d8e76518
Signed-off-by: Cheoleun Moon
---
 packaging/capi-network-nsd.spec | 2 +-
 src/dns-sd/dns-sd.c | 62 ++++++++++++++++++++++++++---------------
 2 files changed, 41 insertions(+), 23 deletions(-)
diff --git a/packaging/capi-network-nsd.spec b/packaging/capi-network-nsd.spec
index 3a821dc..fefa255 100644
--- a/packaging/capi-network-nsd.spec
+++ b/packaging/capi-network-nsd.spec
@@ -1,6 +1,6 @@
 Name: capi-network-nsd
 Summary: A Network Service Discovery libraries in Native API
-Version: 0.0.25
+Version: 0.0.26
 Release: 1
 Group: System/Network
 License: Apache-2.0
diff --git a/src/dns-sd/dns-sd.c b/src/dns-sd/dns-sd.c
index c5c18b5..43ad9e2 100644
--- a/src/dns-sd/dns-sd.c
+++ b/src/dns-sd/dns-sd.c
@@ -69,7 +69,25 @@ static const char *dnssd_error_to_string(dnssd_error_e error)
 }
 }
-static dnssd_handle_s *__dnssd_check_handle_validity(
+static dnssd_handle_s *__dnssd_check_handle_validity(dnssd_handle_s *handle)
+{
+ __DNSSD_LOG_FUNC_ENTER__;
+ dnssd_handle_s *local_handle = NULL;
+ GSList *list;
+
+ for (list = dnssd_handle_list; list; list = list->next) {
+ local_handle = (dnssd_handle_s *)list->data;
+ if (local_handle == handle) {
+ DNSSD_LOGD("Local handle %p is found", handle);
+ __DNSSD_LOG_FUNC_EXIT__;
+ return handle;
+ }
+ }
+ __DNSSD_LOG_FUNC_EXIT__;
+ return NULL;
+}
+
+static dnssd_handle_s *__dnssd_get_struct_from_handle(
 dnssd_service_h dnssd_service)
 {
 __DNSSD_LOG_FUNC_ENTER__;
@@ -269,7 +287,7 @@ static gboolean __dnssd_handle_io_events(GIOChannel *source,
 }
 handle = (dnssd_handle_s*)data;
- if (__dnssd_check_handle_validity(handle->service_handler) == NULL) {
+ if (__dnssd_check_handle_validity(handle) == NULL) {
 DNSSD_LOGE("handle not found %p %u", handle, handle->service_handler);
 return FALSE;
 }
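Review bot: The new `__dnssd_check_handle_validity` takes a pointer that may already be freed, but nothing in the function says so. A comment above it such as `/* Address-only membership test: handle may be dangling and must never be dereferenced here. */` would keep a later edit from reintroducing the read this patch removes. Because the test is by address alone, a handle that was destroyed and then followed by a new allocation at the same address would still be reported as valid. Whether the I/O watch is removed before the handle is freed is not visible in this patch and should be confirmed. The loop is also equivalent to `g_slist_find(dnssd_handle_list, handle) ? handle : NULL`, which would drop the cast and the `local_handle` variable.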
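Review bot: The failure branch in `__dnssd_handle_io_events` still reads through the pointer that was just reported as not in the list. `DNSSD_LOGE("handle not found %p %u", handle, handle->service_handler);` dereferences `handle` after `__dnssd_check_handle_validity(handle)` returned NULL, which is exactly the freed-handle case the patch targets, so the heap-use-after-free remains reachable on this path. Log only the address instead: `DNSSD_LOGE("handle not found %p", handle);`. The function body starts and continues outside the hunk, so any later use of `handle` before the next validity check should be checked the same way.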
@@ -399,7 +417,7 @@ int dnssd_create_local_service(const char *service_type,
 }
 if (dnssd_service == NULL || service_type == NULL ||
- __dnssd_check_handle_validity(*dnssd_service) != NULL) {
+ __dnssd_get_struct_from_handle(*dnssd_service) != NULL) {
 DNSSD_LOGE("Invalid Parameter");
 __DNSSD_LOG_FUNC_EXIT__;
 return DNSSD_ERROR_INVALID_PARAMETER;
@@ -446,7 +464,7 @@ int dnssd_destroy_local_service(dnssd_service_h dnssd_service)
 return DNSSD_ERROR_NOT_INITIALIZED; //LCOV_EXCL_LINE
 }
- local_handle = __dnssd_check_handle_validity(dnssd_service);
+ local_handle = __dnssd_get_struct_from_handle(dnssd_service);
 if (local_handle == NULL) {
 DNSSD_LOGD("Service Handler not found");
 __DNSSD_LOG_FUNC_EXIT__;
@@ -493,7 +511,7 @@ int dnssd_service_set_name(dnssd_service_h local_service,
 return DNSSD_ERROR_INVALID_PARAMETER;
 }
- local_handle = __dnssd_check_handle_validity(local_service);
+ local_handle = __dnssd_get_struct_from_handle(local_service);
 if (local_handle == NULL) {
 DNSSD_LOGD("Service Handler not found");
 __DNSSD_LOG_FUNC_EXIT__;
@@ -536,7 +554,7 @@ int dnssd_service_set_port(dnssd_service_h local_service, int port)
 return DNSSD_ERROR_INVALID_PARAMETER;
 }
- local_handle = __dnssd_check_handle_validity(local_service);
+ local_handle = __dnssd_get_struct_from_handle(local_service);
 if (local_handle == NULL) {
 DNSSD_LOGD("Service Handler not found");
 __DNSSD_LOG_FUNC_EXIT__;
@@ -581,7 +599,7 @@ int dnssd_service_set_interface(dnssd_service_h local_service, const char *inter
 }
 DNSSD_LOGD("Interface index: %u", if_index);
- local_handle = __dnssd_check_handle_validity(local_service);
+ local_handle = __dnssd_get_struct_from_handle(local_service);
 if (local_handle == NULL) {
 DNSSD_LOGD("Service Handler not found");
 __DNSSD_LOG_FUNC_EXIT__;
@@ -621,7 +639,7 @@ int dnssd_service_add_txt_record(dnssd_service_h local_service,
 return DNSSD_ERROR_NOT_INITIALIZED; //LCOV_EXCL_LINE
 }
- local_handle = __dnssd_check_handle_validity(local_service);
+ local_handle = __dnssd_get_struct_from_handle(local_service);
 if (local_handle == NULL) {
 DNSSD_LOGD("Service Handler not found");
 __DNSSD_LOG_FUNC_EXIT__;
@@ -696,7 +714,7 @@ int dnssd_service_remove_txt_record(dnssd_service_h local_service,
 return DNSSD_ERROR_INVALID_PARAMETER;
 }
- local_handle = __dnssd_check_handle_validity(local_service);
+ local_handle = __dnssd_get_struct_from_handle(local_service);
 if (local_handle == NULL) {
 DNSSD_LOGD("Service Handler not found");
 __DNSSD_LOG_FUNC_EXIT__;
@@ -751,7 +769,7 @@ int dnssd_service_set_record(dnssd_service_h local_service, unsigned short type,
 return DNSSD_ERROR_NOT_INITIALIZED; //LCOV_EXCL_LINE
 }
- local_handle = __dnssd_check_handle_validity(local_service);
+ local_handle = __dnssd_get_struct_from_handle(local_service);
 if (local_handle == NULL) {
 DNSSD_LOGD("Service Handler not found");
 __DNSSD_LOG_FUNC_EXIT__;
@@ -809,7 +827,7 @@ int dnssd_service_unset_record(dnssd_service_h local_service,
 return DNSSD_ERROR_NOT_INITIALIZED; //LCOV_EXCL_LINE
 }
- local_handle = __dnssd_check_handle_validity(local_service);
+ local_handle = __dnssd_get_struct_from_handle(local_service);
 if (local_handle == NULL) {
 DNSSD_LOGD("Service Handler not found");
 __DNSSD_LOG_FUNC_EXIT__;
@@ -918,7 +936,7 @@ int dnssd_register_local_service(dnssd_service_h local_service,
 return DNSSD_ERROR_NOT_INITIALIZED; //LCOV_EXCL_LINE
 }
- local_handle = __dnssd_check_handle_validity(local_service);
+ local_handle = __dnssd_get_struct_from_handle(local_service);
 if (local_handle == NULL) {
 DNSSD_LOGD("Service Handler not found");
 __DNSSD_LOG_FUNC_EXIT__;
@@ -988,7 +1006,7 @@ int dnssd_deregister_local_service(dnssd_service_h local_service)
 return DNSSD_ERROR_NOT_INITIALIZED; //LCOV_EXCL_LINE
 }
- local_handle = __dnssd_check_handle_validity(local_service);
+ local_handle = __dnssd_get_struct_from_handle(local_service);
 if (local_handle == NULL) {
 DNSSD_LOGD("Service Handler not found");
 __DNSSD_LOG_FUNC_EXIT__;
@@ -1074,7 +1092,7 @@ static void __dnssd_getaddrinfo_reply_cb(DNSServiceRef sd_ref,
 found->if_index,
 local_handle->flags);
- dnssd_handle = __dnssd_check_handle_validity(found->browse_handler);
+ dnssd_handle = __dnssd_get_struct_from_handle(found->browse_handler);
 if (dnssd_handle == NULL) {
 DNSSD_LOGD("Invalid browse handle");
 __DNSSD_LOG_FUNC_EXIT__;
@@ -1414,7 +1432,7 @@ int dnssd_start_browsing_service(const char *service_type,
 }
 if (dnssd_service == NULL || service_type == NULL ||
- __dnssd_check_handle_validity(*dnssd_service) != NULL) {
+ __dnssd_get_struct_from_handle(*dnssd_service) != NULL) {
 DNSSD_LOGE("Invalid Parameter");
 __DNSSD_LOG_FUNC_EXIT__;
 return DNSSD_ERROR_INVALID_PARAMETER;
@@ -1490,7 +1508,7 @@ int dnssd_start_browsing_service_on_interface(const char *service_type, const ch
 }
 if (dnssd_service == NULL || service_type == NULL ||
- __dnssd_check_handle_validity(*dnssd_service) != NULL) {
+ __dnssd_get_struct_from_handle(*dnssd_service) != NULL) {
 DNSSD_LOGE("Invalid Parameter");
 __DNSSD_LOG_FUNC_EXIT__;
 return DNSSD_ERROR_INVALID_PARAMETER;
@@ -1605,7 +1623,7 @@ int dnssd_stop_browsing_service(dnssd_browser_h dnssd_service)
 return DNSSD_ERROR_NOT_INITIALIZED; //LCOV_EXCL_LINE
 }
- local_handle = __dnssd_check_handle_validity(dnssd_service);
+ local_handle = __dnssd_get_struct_from_handle(dnssd_service);
 if (local_handle == NULL) {
 DNSSD_LOGD("Service Handler 0x%x not found", dnssd_service);
 __DNSSD_LOG_FUNC_EXIT__;
@@ -1675,7 +1693,7 @@ int dnssd_service_get_type(dnssd_service_h dnssd_service, char **service_type)
 return DNSSD_ERROR_INVALID_PARAMETER;
 }
- local_handle = __dnssd_check_handle_validity(dnssd_service);
+ local_handle = __dnssd_get_struct_from_handle(dnssd_service);
 if (local_handle == NULL) {
 DNSSD_LOGD("Service Handler not found");
 __DNSSD_LOG_FUNC_EXIT__;
@@ -1708,7 +1726,7 @@ int dnssd_service_get_name(dnssd_service_h dnssd_service, char **service_name)
 return DNSSD_ERROR_INVALID_PARAMETER;
 }
- local_handle = __dnssd_check_handle_validity(dnssd_service);
+ local_handle = __dnssd_get_struct_from_handle(dnssd_service);
 if (local_handle == NULL) {
 DNSSD_LOGD("Service Handler not found");
 __DNSSD_LOG_FUNC_EXIT__;
@@ -1758,7 +1776,7 @@ int dnssd_service_get_ip(dnssd_service_h dnssd_service, char **ip_v4_address,
 return DNSSD_ERROR_INVALID_PARAMETER;
 }
- local_handle = __dnssd_check_handle_validity(dnssd_service);
+ local_handle = __dnssd_get_struct_from_handle(dnssd_service);
 if (local_handle == NULL) {
 DNSSD_LOGD("Service Handler not found");
 __DNSSD_LOG_FUNC_EXIT__;
@@ -1817,7 +1835,7 @@ int dnssd_service_get_port(dnssd_service_h dnssd_service, int *port)
 return DNSSD_ERROR_INVALID_PARAMETER;
 }
- local_handle = __dnssd_check_handle_validity(dnssd_service);
+ local_handle = __dnssd_get_struct_from_handle(dnssd_service);
 if (local_handle == NULL) {
 DNSSD_LOGD("Service Handler not found");
 __DNSSD_LOG_FUNC_EXIT__;
@@ -1859,7 +1877,7 @@ int dnssd_service_get_all_txt_record(dnssd_service_h dnssd_service,
 return DNSSD_ERROR_NOT_INITIALIZED; //LCOV_EXCL_LINE
 }
- local_handle = __dnssd_check_handle_validity(dnssd_service);
+ local_handle = __dnssd_get_struct_from_handle(dnssd_service);
 if (local_handle == NULL) {
 DNSSD_LOGE("Service Handler not found");
 __DNSSD_LOG_FUNC_EXIT__;
--
2.7.4